获取 unifiedRoleDefinition
命名空间:microsoft.graph
重要
Microsoft Graph /beta
版本下的 API 可能会发生更改。 不支持在生产应用程序中使用这些 API。 若要确定 API 是否在 v1.0 中可用,请使用 版本 选择器。
获取 RBAC 提供程序的 unifiedRoleDefinition 对象的属性和关系。
当前支持以下 RBAC 提供程序:
- 云电脑
- 设备管理 (Intune)
- 目录 (Microsoft Entra 目录角色)
- 权利管理 (Microsoft Entra 权利管理)
- Exchange Online
此 API 可用于以下国家级云部署。
全局服务 | 美国政府 L4 | 美国政府 L5 (DOD) | 由世纪互联运营的中国 |
---|---|---|---|
✅ | ✅ | ✅ | ✅ |
权限
根据 RBAC 提供程序以及 (委托的权限类型或所需的应用程序) ,从下表中选择调用此 API 所需的最低特权权限。 若要了解详细信息(包括在选择更多特权权限之前 要小心 ),请参阅 权限。
对于云电脑提供商
权限类型 | 权限(从最低特权到最高特权) |
---|---|
委派(工作或学校帐户) | RoleManagement.Read.CloudPC、CloudPC.Read.All、RoleManagement.ReadWrite.CloudPC、CloudPC.ReadWrite.All、RoleManagement.Read.All |
委派(个人 Microsoft 帐户) | 不支持。 |
应用程序 | RoleManagement.Read.CloudPC、CloudPC.Read.All、RoleManagement.ReadWrite.CloudPC、CloudPC.ReadWrite.All、RoleManagement.Read.All |
对于设备管理 (Intune) 提供程序
权限类型 | 权限(从最低特权到最高特权) |
---|---|
委派(工作或学校帐户) | DeviceManagementRBAC.Read.All、DeviceManagementRBAC.ReadWrite.All |
委派(个人 Microsoft 帐户) | 不支持。 |
应用程序 | DeviceManagementRBAC.Read.All、DeviceManagementRBAC.ReadWrite.All |
对于目录 (Microsoft Entra ID) 提供程序
权限类型 | 权限(从最低特权到最高特权) |
---|---|
委派(工作或学校帐户) | RoleManagement.Read.Directory、Directory.Read.All、RoleManagement.ReadWrite.Directory、Directory.ReadWrite.All |
委派(个人 Microsoft 帐户) | 不支持。 |
应用程序 | RoleManagement.Read.Directory、Directory.Read.All、RoleManagement.ReadWrite.Directory、Directory.ReadWrite.All |
对于权利管理提供程序
权限类型 | 权限(从最低特权到最高特权) |
---|---|
委派(工作或学校帐户) | EntitlementManagement.Read.All、EntitlementManagement.ReadWrite.All |
委派(个人 Microsoft 帐户) | 不支持。 |
应用程序 | EntitlementManagement.Read.All、EntitlementManagement.ReadWrite.All |
对于Exchange Online提供程序
权限类型 | 权限(从最低特权到最高特权) |
---|---|
委派(工作或学校帐户) | RoleManagement.Read.Exchange、RoleManagement.Read.All、RoleManagement.ReadWrite.Exchange |
委派(个人 Microsoft 帐户) | 不支持。 |
应用程序 | RoleManagement.Read.Exchange、RoleManagement.Read.All、RoleManagement.ReadWrite.Exchange |
HTTP 请求
获取云电脑提供商的角色定义:
GET /roleManagement/cloudPC/roleDefinitions/{id}
获取设备管理提供程序的角色定义:
GET /roleManagement/deviceManagement/roleDefinitions/{id}
获取目录提供程序的角色定义:
GET /roleManagement/directory/roleDefinitions/{id}
获取权利管理提供程序的角色定义:
GET /roleManagement/entitlementManagement/roleDefinitions/{id}
获取Exchange Online提供程序的角色定义:
GET /roleManagement/exchange/roleDefinitions/{id}
可选的查询参数
此方法支持 OData 查询参数来帮助自定义响应。 若要了解一般信息,请参阅 OData 查询参数。
请求标头
名称 | 说明 |
---|---|
Authorization | 持有者 {token}。 必填。 详细了解 身份验证和授权。 |
请求正文
请勿提供此方法的请求正文。
响应
如果成功,此方法在响应正文中返回响应 200 OK
代码和请求的 unifiedRoleDefinition 对象。
示例
示例 1:获取目录提供程序的自定义角色定义
请求
以下示例显示了一个请求。
GET https://graph.microsoft.com/beta/roleManagement/directory/roleDefinitions/f189965f-f560-4c59-9101-933d4c87a91a
响应
以下示例显示了相应的响应。
注意:为了提高可读性,可能缩短了此处显示的响应对象。
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/directory/roleDefinitions/$entity",
"id": "f189965f-f560-4c59-9101-933d4c87a91a",
"description": "Allows reading Application Registrations",
"displayName": "Application Registration Reader",
"isBuiltIn": false,
"isEnabled": true,
"isPrivileged": false,
"templateId": "f189965f-f560-4c59-9101-933d4c87a91a",
"version": null,
"rolePermissions": [
{
"allowedResourceActions": [
"microsoft.directory/applications/allProperties/read"
],
"condition": null
}
],
"inheritsPermissionsFrom": []
}
示例 2:获取目录提供程序的内置角色的定义
请求
以下示例显示了一个请求。
GET https://graph.microsoft.com/beta/roleManagement/directory/roleDefinitions/fdd7a751-b60b-444a-984c-02652fe8fa1c
响应
以下示例显示了相应的响应。
注意:为了提高可读性,可能缩短了此处显示的响应对象。
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/directory/roleDefinitions/$entity",
"id": "fdd7a751-b60b-444a-984c-02652fe8fa1c",
"description": "Members of this role can create/manage groups, create/manage groups settings like naming and expiration policies, and view groups activity and audit reports.",
"displayName": "Groups Administrator",
"isBuiltIn": true,
"isEnabled": true,
"isPrivileged": false,
"resourceScopes": [
"/"
],
"templateId": "fdd7a751-b60b-444a-984c-02652fe8fa1c",
"version": "1",
"rolePermissions": [
{
"allowedResourceActions": [
"microsoft.directory/groups/assignLicense",
"microsoft.directory/groups/create",
"microsoft.directory/groups/delete",
"microsoft.directory/groups/hiddenMembers/read",
"microsoft.directory/groups/reprocessLicenseAssignment",
"microsoft.directory/groups/restore",
"microsoft.directory/groups/basic/update",
"microsoft.directory/groups/classification/update",
"microsoft.directory/groups/dynamicMembershipRule/update",
"microsoft.directory/groups/groupType/update",
"microsoft.directory/groups/members/update",
"microsoft.directory/groups/owners/update",
"microsoft.directory/groups/settings/update",
"microsoft.directory/groups/visibility/update",
"microsoft.azure.serviceHealth/allEntities/allTasks",
"microsoft.azure.supportTickets/allEntities/allTasks",
"microsoft.office365.serviceHealth/allEntities/allTasks",
"microsoft.office365.supportTickets/allEntities/allTasks",
"microsoft.office365.webPortal/allEntities/standard/read"
],
"condition": null
}
],
"inheritsPermissionsFrom": [
{
"id": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"
}
]
}
示例 3:获取云电脑提供商的内置角色的定义
请求
GET https://graph.microsoft.com/beta/roleManagement/cloudPC/roleDefinitions/d40368cb-fbf4-4965-bbc1-f17b3a78e510
响应
注意:为了提高可读性,可能缩短了此处显示的响应对象。 所有属性都将通过实际调用返回。
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/cloudPC/roleDefinitions/$entity",
"id": "d40368cb-fbf4-4965-bbc1-f17b3a78e510",
"description": "Have read-only access all Cloud PC features.",
"displayName": "Cloud PC Reader",
"isBuiltIn": true,
"isEnabled": true,
"resourceScopes": [
"/"
],
"templateId": "d40368cb-fbf4-4965-bbc1-f17b3a78e510",
"version": null,
"rolePermissions": [
{
"allowedResourceActions": [
"Microsoft.CloudPC/CloudPCs/Read",
"Microsoft.CloudPC/DeviceImages/Read",
"Microsoft.CloudPC/OnPremisesConnections/Read",
"Microsoft.CloudPC/ProvisioningPolicies/Read",
"Microsoft.CloudPC/Roles/Read",
"Microsoft.CloudPC/SelfServiceSettings/Read"
],
"condition": null
}
]
}
示例 4:获取权利管理提供程序的内置角色的定义
请求
GET https://graph.microsoft.com/beta/roleManagement/entitlementManagement/roleDefinitions/ba92d953-d8e0-4e39-a797-0cbedb0a89e8
响应
注意:为了提高可读性,可能缩短了此处显示的响应对象。 所有属性都将通过实际调用返回。
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/entitlementManagement/roleDefinitions/$entity",
"id": "ba92d953-d8e0-4e39-a797-0cbedb0a89e8",
"displayName": "Catalog creator",
"description": "Catalog creator",
"isBuiltIn": true,
"isEnabled": true,
"templateId": "ba92d953-d8e0-4e39-a797-0cbedb0a89e8",
"version": "1.0",
"rolePermissions": [
{
"allowedResourceActions": [
"microsoft.entitlementManagement/AccessPackageCatalog/Create"
]
}
]
}
示例 5:获取Exchange Online提供程序的内置角色的定义
请求
GET https://graph.microsoft.com/beta/roleManagement/exchange/roleDefinitions/7224da60-d8e2-4f45-9380-8e4fda64e133
响应
注意:为了提高可读性,可能缩短了此处显示的响应对象。 所有属性都将通过实际调用返回。
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/exchange/roleDefinitions/$entity",
"id": "7224da60-d8e2-4f45-9380-8e4fda64e133",
"description": "This role enables administrators to manage address lists, global address lists, and offline address lists in an organization.",
"displayName": "Address Lists",
"isEnabled": true,
"version": "0.12 (14.0.451.0)",
"isBuiltIn": true,
"templateId": null,
"allowedPrincipalTypes": "user,group",
"rolePermissions": [
{
"allowedResourceActions": [
"(Microsoft.Exchange.Management.PowerShell.E2010) Get-AddressBookPolicy -ErrorAction -ErrorVariable -Identity -OutBuffer -OutVariable -WarningAction -WarningVariable"
],
"excludedResourceActions": [],
"condition": null
}
]
}
反馈
https://aka.ms/ContentUserFeedback。
即将发布:在整个 2024 年,我们将逐步淘汰作为内容反馈机制的“GitHub 问题”,并将其取代为新的反馈系统。 有关详细信息,请参阅:提交和查看相关反馈